Open Bug 1079403 (mobile-passwords) Opened 5 years ago Updated 2 years ago
[meta] Mobile client-side password system improvements
There are a few small-scoped improvements we can make to the password system without any new Cloud Service work.
Coincidentally, I was originally hired by Mozilla to "make a better password manager", a project which was canned in favor of Firefox Accounts/PICL.
OS: Linux → Android
Hardware: x86_64 → All
Related: I recently proposed adding an auto-remember password feature to Firefox. https://www.lucidchart.com/publicSegments/view/542acc58-08d4-4e4f-878f-2b060a00c285/image.png

Would be an improvement for two reasons:
1. Would save users a click when they just wanted to save all passwords
2. Would also allow them to view the username and change it if guessed wrong
I started working on an add-on to try out some of the client-side password improvements we have been talking about. I thought I'd post it to get some feedback and ideas.

The add-on is here and only works in Fennec for now: http://people.mozilla.org/~mfinkle/passwords/passwords.xpi
source code: https://github.com/mfinkle/passwords

It adds a "Password Tools" menu to the normal "Tools" menu: http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-menu.png

You can try it out on your own data, but if you want to play around in a clean profile, use the "Add Fake Logins" action to add some test data to your profile.

Then use the "List" action to display a simple Password manager: http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list.png

Tap on a row to see some details: http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list-detail.png

I ported most of the excellent "zxcvbn" password strength checker from Dropbox into the add-on. More info on it here: https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/

You can run an audit on your login data using the "Audit" action: http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-audit.png

I created 3 types of audits for now: Weak passwords, Duplicate passwords (same password used on multiple sites) and Old passwords (passwords that have not been changed in over 90 days)

To help create stronger passwords, I added a simple (crappy) UI to make passwords based on two strategies:
1. Use the website domain and a master password, then hash using MD5 (or something)
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-domain.png
2. Pick the parts of your password from different character sets (lowercase, uppercase, digits and symbols), with minimum character counts for each and a way to exclude some characters. The result is created by randomly picking characters from the selected sets.
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-sets.png

Lastly, I added a feature that lets you "peek" at a password field as plain text for 5 seconds. It's on the menu, but use the ActionBar instead:
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-peek-before.png
http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-peek-after.png
I plan to start making some toolkit patches for the PasswordGenerator and PasswordStrength JSMs. I also want to start making some Fennec patches for an interactive password strength panel that displays below a password <input> and shows the strength as you type. I should give you a way to see the reasoning for the strength score, as well as offer a way to generate (and save) a stronger password.
(In reply to Mark Finkle (:mfinkle) from comment #4)
> I started working on an add-on to try out some of the client-side password
> improvements we have been talking about. I thought I'd post it to get some
> feedback and ideas.

Exciting work Mark!

> Then use the "List" action to display a simple Password manager:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list.png

Suggested additions:
* Search
* Sort by (alpha, (f)recently used)
* Deletion from here?
* Where can I manually add a set of credentials?

> Tap on a row to see some details:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-list-detail.png

Suggested additions:
* Delete
* Edit
* Show password

> I ported most of the excellent "zxcvbn" password strength checker from
> Dropbox into the add-on. More info on it here:
> https://tech.dropbox.com/2012/04/zxcvbn-realistic-password-strength-estimation/
>
> You can run an audit on your login data using the "Audit" action:
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-audit.png
>
> I created 3 types of audits for now: Weak passwords, Duplicate passwords
> (same password used on multiple sites) and Old passwords (passwords that
> have not been changed in over 90 days)

I have mixed feelings about these analysis tools for the typical user. Here's why. Ideally, we should all use long, unique, computer generated passwords. But we don't, for a variety of reasons. For example, good luck using a 20 random char password for your iOS app store password, unless you really love mobile typing acrobatics. There are other rational coping mechanisms that result in less than optimal, but probably still ok passwords. I personally don't like shaming the user because they had to compromise to deal with password hell.

I don't know what the right decision is here, but I'd start with a less noisy analyzer and focus on obvious big wins. Thoughts:
* Point out really dirty passwords, like ones on the top 100 most commonly used list.
* Visualize password re-use. This is where bad stuff happens. Re-using your facebook password at a music lyric site. Randomly generated passwords are obviously a solution here, but there are other more human-friendly options, too, that we could propose to the user.

> To help create stronger passwords, I added a simple (crappy) UI to make
> passwords based on two strategies:
> 1. Use the website domain and a master password, then hash using MD5 (or
> something)
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-domain.png
>
> 2. Pick the parts of your password from different character sets (lowercase,
> uppercase, digits and symbols), with minimum character counts for each and a
> way to exclude some characters. The result is created by randomly picking
> characters from the selected sets.
> http://people.mozilla.org/~mfinkle/passwords/fennec-passwords-generate-sets.png

Simplify. I'd prefer fewer synthesizer controls in the "Generate from Sets". Ideally, there is only one option: give me a pretty good password that likely meets the criteria imposed by most sites. I assert that error recovery here can be handled by manually editing.

I don't like the "Generate from Domain" option because it has no good solution to the "Change just this password I generated by domain, but not my others that I generated by domain".

One thing about password generation: we better remember it for the user and bind it to the site/domain, and if we don't for some reason (and we won't sometimes), then we need to provide sufficient recovery mechanisms.

These kinds of improvements are important and necessary, but we must not forget the dirty business of improving the low level capturing and filling. :)
Talked to antlam today, and we worked out a passwords UI for about:passwords via whiteboard. This covers the main actions (reveal, copy password, open-page-and-fill, delete) as well as an insertion point for how we'd want to do add/edit passwords.
Depends on: 1114821
Attaching a WIP of the whiteboard sketch. UI is very much in flux ATM, the idea is just to have these contextual actions related to the list item appear near it. Maybe the action bar might be a better area for this. Note: the icons are all reused from other parts of our UI (same sizes and color too). + is from the tablet tool bar; the magnifying glass and 'x' are from the mobile/tablet tool bar.
Comment on attachment 8540879 [details] prev_pw_mock1.png Mocks have been updated in bug 1101741
Attachment #8540879 - Attachment is obsolete: true
Summary: [meta] Client-side password system improvements → [meta] Mobile client-side password system improvements
At first I didn't read the complete bug report here, so if I'm repeating a request then sorry for this. For a nice example of how you can do a good password manager, look at this addon: https://addons.mozilla.org/en-US/android/addon/mobile-password-manager/ It has some nice features, including the possibility to edit passwords on Android. Secondly, maybe a kind of - optional - restoring function would be useful (depending on how "easy" it is to delete a password). Maybe let the user choose how many hours or days a password will just disappear from the (normal view of the) password manager, but is still somehow restorable. This of course would also be an idea for the desktop password manager.
No longer depends on: mobile-about-passwords-v1
Re-triaging per https://bugzilla.mozilla.org/show_bug.cgi?id=1473195 Needinfo :susheel if you think this bug should be re-triaged.
Priority: -- → P5